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Abstract This chapter provides an introduction to some basic 
concepts of epistemic logic, basic formal languages, their se¬ 
mantics, and proof systems. It also contains an overview of the 
handbook, and a brief history of epistemic logic and pointers to 
the literature. 


1.1 Introduction to the Book 

This introductory chapter has four goals: 

1. an informal introduction to some basic concepts of epistemic logic; 

2. basic formal languages, their semantics, and proof systems; 

Chapter 1 of the Handbook of Epistemic Logic, H. van Ditmar sch, J.Y. Halpern, W. van 
der Hoek and B. Kooi (eds), College Publications, 2015, pp. [T■! 
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3. an overview of the handbook; and 

4. a brief history of epistemic logic and pointers to the literature. 


In Section [l.2| we deal with the first two items. We provide examples 
that should help to connect the informal concepts with the formal defi¬ 
nitions. Although the informal meaning of the concepts that we discuss 
may vary from author to author in this book (and, indeed, from reader to 
reader), the formal definitions and notation provide a framework for the 
discussion in the remainder of the book. 

we outline how the basic concepts from this chapter are 


In Section 1.3 


further developed in subsequent chapters, and how those chapters relate to 
each other. This chapter, like all others, concludes with a section of notes, 
which gives all the relevant references and some historical background, and 
a bibliography. 


1.2 Basic Concepts and Tools 

As the title suggests, this book uses a formal tool, logic , to study the notion 
of knowledge (“episteme” in Greek, hence epistemic logic ) and belief, and, 
in a wider sense, the notion of information. 

Logic is the study of reasoning, formalising the way in which certain 
conclusions can be reached, given certain premises. This can be done by 
showing that the conclusion can be derived using some deductive system 


(like the axiom systems we present in Section 1.2.5), or by arguing that the 


truth of the conclusion must follow from the truth of the premises (truth 
is the concern of the semantical approach of Section 1.2.2). However, first 


of all, the premises and conclusions need to be presented in some formal 
language , which is the topic of Section |1.2.1 Such a language allows us to 
specify and verify properties of complex systems of interest. 

Reasoning about knowledge and belief, which is the focus of this book, 
has subtleties beyond those that arise in propositional or predicate logic. 
Take, for instance, the law of excluded middle in classical logic, which says 
that for any proposition p, either p or -> p (the negation of p) must hold; 
formally, p V —>p is valid. In the language of epistemic logic, we write K a p 
for ‘agent a knows that p is the case’. Even this simple addition to the 
language allows us to ask many more questions. For example, which of the 
following formulas should be valid, and how are they related? What kind 
of ‘situations’ do the formulas describe? 

• I\ a p V -'Kap 

• K a p V K 0 ->p 








1.2. BASIC CONCEPTS AND TOOLS 


3 


K a (p V ->p) 


• K a p V -i K a ^p 

It turns out that, given the semantics of interest to us, only the first and 
third formulas above are valid. Moreover as we will see below, K a p logically 
implies -<K a -<p, so the last formula is equivalent to ^K a ^p, and says ‘agent 
a considers p possible’. This is incomparable to the second formula, which 
says agent a knows whether p is true’. 

One of the appealing features of epistemic logic is that it goes beyond 
the ‘factual knowledge’ that the agents have. Knowledge can be about 
knowledge, so we can write expressions like K a (K a p —> K a q ) (a knows 
that if he knows that p, he also knows that q) . More interestingly, we can 
model knowledge about other’s knowledge, which is important when we 
reason about communication protocols. Suppose Ann knows some fact m 
(‘we meet for dinner the first Sunday of August’). So we have K a m. Now 
suppose Ann e-mails this message to Bob at Monday 31st of July, and Bob 
reads it that evening. We then have I\bm A KbK a m. Do we have K a Kbm ? 
Unless Ann has information that Bob has actually read the message, she 
cannot assume that he did, so we have (. K a m A -■ K a Ki,m A -i K a -<Kbm). 

We also have K a Kb~'K a Kbm. To see this, we already noted that —<K a Kb 
m, since Bob might not have read the message yet. But if we can deduce 
that, then Bob can as well (we implicitly assume that all agents can do 
perfect reasoning), and, moreover, Ann can deduce that. Being a gentleman, 
Bob should resolve the situation in which ~^K a Kbm holds, which he could 
try to do by replying to Ann’s message. Suppose that Bob indeed replies on 
Tuesday morning, and Ann reads this on Tuesday evening. Then, on that 
evening, we indeed have I\ a KbK a m. But of course, Bob cannot assume 
Ann read the acknowledgement, so we have -iKbK a KbK a ni. It is obvious 
that if Ann and Bob do not want any ignorance about knowledge of m, 
they better pick up the phone and verify m. Using the phone is a good 
protocol that guarantees K a ml\Kbml\K a Kbml\KbK a ml\K a KbK a ml \..., 


a notion that we call common knowledge ; see Section 1.2.2 


The point here is that our formal language helps clarify the effect of a 
(communication) protocol on the information of the participating agents. 
This is the focus of Chapter 12. It is important to note that requirements of 
protocols can involve both knowledge and ignorance: in the above example 
for instance, where Charlie is a roommate of Bob, a goal (of Bob) for the 
protocol might be that he knows that Charlie does not know the message 
(Kb^K c m), while a goal of Charlie might even be K c Kb—'m. Actually, 
in the latter case, it may be more reasonable to write K c Bb^m: Charlie 
knows that Bob believes that there is no dinner on Sunday. A temporal 
progression from Kbm A -i K a Kbm to KbK a m can be viewed as learning. 
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This raises interesting questions in the study of epistemic protocols: given 
an initial and final specification of information, can we find a sequence of 
messages that take us from the former to the latter? Are there optimal 
such sequences? These questions are addressed in Chapter 5, specifically 
Sections 5.7 and 5.9. 

Here is an example of a scenario where the question is to derive a 
sequence of messages from an initial and final specification of information. 
It is taken from Chapter 12, and it demonstrates that security protocols 
that aim to ensure that certain agents stay ignorant cannot (and do not) 
always rely on the fact that some messages are kept secret or hidden. 

Alice and Betty each draw three cards from a pack of seven 
cards, and Eve (the eavesdropper) gets the remaining card. Can 
players Alice and Betty learn each other’s cards without reveal¬ 
ing that information to Eve? The restriction is that Alice and 
Betty can make only public announcements that Eve can hear. 

We assume that (it is common knowledge that) initially, all three agents 
know the composition of the pack of cards, and each agent knows which 
cards she holds. At the end of the protocol, we want Alice and Betty to 
know which cards each of them holds, while Eve should know only which 
cards she (Eve) holds. Moreover, messages can only be public announce¬ 
ments (these are formally described in Chapter 6), which in this setting 
just means that Alice and Betty can talk to each other, but it is com¬ 
mon knowledge that Eve hears them. Perhaps surprisingly, such a protocol 
exists, and, hopefully less surprisingly by now, epistemic logic allows us 
to formulate precise epistemic conditions, and the kind of announcements 
that should be allowed. For instance, no agent is allowed to lie, and agents 
can announce only what they know. Dropping the second condition would 
allow Alice to immediately announce Eve’s card, for instance. Note there 
is an important distinction here: although Alice knows that there is an 
announcement that she can make that would bring about the desired state 
of knowledge (namely, announcing Eve’s card), there is not something that 
Alice knows that she can announce that would bring about the desired state 
of knowledge (since does not in fact know Eve’s card). This distinction has 
be called the de dicto/de re distinction in the literature. The connections 
between knowledge and strategic ability are the topic of Chapter 11. 

Epistemic reasoning is also important in distributed computing. As 
argued in Chapter 5, processes or programs in a distributed environment 
often have only a limited view of the global system initially; they gradually 
come to know more about the system. Ensuring that each process has 
the appropriate knowledge needed in order to act is the main issue here. 
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The chapter mentions a number of problems in distributed systems where 
epistemic tools are helpful, like agreement problems (the dinner example of 
Ann and Bob above would be a simple example) and the problem of mutual 
exclusion, where processes sharing a resource must ensure that only one 
process uses the resource at a time. An instance of the latter is provided in 
Chapter 8, where epistemic logic is used to specify a correctness property of 
the Railroad Crossing System. Here, the agents Train, Gate and Controller 
must ensure, based on the type of signals that they send, that the train is 
never at the crossing while the gate is ‘up’. Chapter 8 is on model checking; 
it provides techniques to automatically verify that such properties (specified 
in an epistemic temporal language; cf. Chapter 5) hold. Epistemic tools 
to deal with the problem of mutual exclusion are also discussed in Chapter 
11, in the context of dealing with shared file updates. 

Reasoning about knowing what others know (about your knowledge) 
is also typical in strategic situations, where one needs to make a decision 
based on how others will act (where the others, in turn, are basing their 
decision on their reasoning about you). This kind of scenario is the focus 
of game theory. Epistemic game theory studies game theory using notions 
from epistemic logic. (Epistemic game theory is the subject of Chapter 9 
in this book.) Here, we give a simplified example of one of the main ideas. 
Consider the game in Figure E3 



Figure 1.1: A simple extensive form game. 
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This model represents a situation where two players, a and b, take turns, 
with a starting at the top node A. If a plays l (‘left’) in this node, the game 
ends in node B and the payoff for a is 1 and that for b is 4. If a, however, 
plays r in A, the game proceeds to node C, where it is 6’s turn. Player 
b has a choice between playing L and R (note that we use upper case to 
distinguish Vs moves from a’s moves). The game continues until a terminal 
node is reached. We assume that both players are rational ; that is, each 
prefers a higher outcome for themselves over a lower one. What will a play 
in the start node A? 

One way to determine what will happen in this game is to use backward. 
Consider node E. If that node is reached, given that a is rational (denoted 
rata), a, will play l here, since she prefers the outcome 4 over 3 (which she 
would get by playing r). Now consider node C. Since b knows that a is 
rational, he knows that his payoff when playing R at C is 1. Since b is 
rational, and playing L in C gives him 2, he will play L. The only thing 
needed to conclude this is (ra4 A_K),raf a ). Finally, consider node A. Player 
a can reason as we just did, so a knows that she has a choice between the 
payoff of 2 she would obtain by playing r and the payoff of 1 she would 
obtain by playing l. Since a is rational, she plays r at A. Summarising, the 
condition that justifies a playing r at A and b playing L at B is 

rat a A K a ratb A K a Kbrat a A rat A K^rata 

This analysis predicts that the game will end in node D. Although 
this analysis used only ‘depth-two’ knowledge (a knows that b knows), to 
perform a similar analysis for longer variants of this game requires deeper 
and deeper knowledge of rationality. In fact, in many epistemic analyses 
in game theory, common knowledge of rationality is assumed. The con¬ 
tribution of epistemic logic to game theory is discussed in more detail in 
Chapter 9. 


1.2.1 Language 


Most if not all systems presented in this book extend propositional logic. 
The language of propositional logic assumes a set At of primitive (or atomic) 
propositions, typically denoted p,q ,..., possibly with subscripts. They 
typically refer to statements that are considered basic; that is, they lack 
logical structure, like ‘it is raining’, or ‘the window is closed’. Classical 
logic then uses Boolean operators, such as -i (‘not’), A (‘and’), V, (‘or’), —> 
(‘implies’), and 0 (‘if and only if’), to build more complex formulas. Since 
all those operators can be defined in terms of A and —i (see Definition 1.2), 


the formal definition of the language often uses only these two connectives. 
Formulas are denoted with Greek letters: ip, ip, a ,.... So, for instance, 
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while ( p A q ) is the conjunction of two primitive propositions, the formula 
(<p A V’) is a conjunction of two arbitrary formulas, each of which may have 
further structure. 

When reasoning about knowledge and belief, we need to be able to refer 
to the subject, that is, the agent whose knowledge or belief we are talking 
about. To do this, we assume a finite set Ag of agents. Agents are typically 
denoted a, b, ..., i, j,. .., or, in specific examples, Alice , Bob ,.... To reason 
about knowledge, we add operators I\ a to the language of classical logic, 
where K a p denotes ‘agent a knows (or believes) p\ We typically let the 
context determine whether K a represents knowledge or belief. If it is nec¬ 
essary to reason knowledge and belief simultaneously, we use operators K a 
for knowledge and B a for belief. Logics for reasoning about knowledge are 
sometimes called epistemic logics, while logics for reasoning about belief 
are called doxastic logics, from the Greek words for knowledge and belief. 
The operators K a and B a are examples of modal operators. We sometimes 
use □ or D a to denote a generic modal operator, when we want to discuss 
general properties of modal operators. 

Definition 1.1 (An Assemblage of Modal Languages) 

Let At be a set of primitive propositions, Op a set of modal operators, and 
Ag a set of agent symbols. Then we define the language L(At, Op,Ag) by 
the following BNF: 

ip:=p | -.<£ | (pAp) | Hip, 

where p £ At and □ £ Op. H 

Typically, the set Op depends on Ag. For instance, the language for 
multi-agent epistemic logic is L(At,Op, Ag), with Op = {K a \ a £ Ag}, that 
is, we have a knowledge operator for every agent. To study interactions 
between knowledge and belief, we would have Op = {K a , B a \ a £ Ag}. The 
language of propositional logic, which does not involve modal operators, is 
denoted L(At); propositional formulas are, by definition, formulas in L(At). 

Definition 1.2 (Abbreviations in the Language) 

As usual, parentheses are omitted if that does not lead to ambiguity. The 
following abbreviations are also standard (in the last one, A C Ag). 


description/name 

definiendum 

definiens 

false 

T 

p A ->p 

true 

T 

-i± 

disjunction 

p\/ ip 

-'(-'¥’ A-^) 

implication 

p — > 

-i ip V if 

dual of K 

M a ip or K a p 

-'Ka-'P 

everyone in A knows 

E A p 

AaeA KaP 
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Note that M a ip , which say ‘agent a does not know —up’’, can also be read 
‘agent a considers ip possible’. H 


Let □ be a modal operator, either one in Op or one defined as an 
abbreviation. We define the nth iterated application of □, written as 
follows: 

□V = V and CT+V = DD V 

We are typically interested in iterating the Ea operator, so that we can 
talk about ‘everyone in A knows’, ‘everyone in A knows that everyone in A 
knows’, and so on. 

Finally, we define two measures on formulas. 

Definition 1.3 (Length and modal depth) 

The length \ ip | and the modal depth d(ip) of a formula ip are both defined 
inductively as follows: 


\P\ 

I 

\(t a VO I 

I U aV | 


1 and d(p) = 0 

|</?| +1 and d(~np) = d(ip) 

\ip\ + \if\+l and d(<p/\il>) = max{d{ip), d(if)} 

|</?|+1 and d(Oip) = 1 + d(ip). 


In the last clause, n a is a modal operator corresponding to a single agent. 
Sometimes, if A C Ag is a group of agents and Oa is a group operator (like 
Ea, Da or Ca ), | □aV’I depends not only on ip, but also on the cardinality 
of A. H 


So, | D a (qA ObP) |= 5 and d(O a (q A Dfop)) = 2. Likewise, | O a q A 06^1= 5 
while d{p a q A O b p) = 1. 


1.2.2 Semantics 

We now define a way to systematically determine the truth value of a for¬ 
mula. In propositional logic, whether p is true or not ‘depends on the 
situation’. The relevant situations are formalised using valuations, where a 
valuation 

V : At {true, false} 

determines the truth of primitive propositions. A valuation can be ex¬ 
tended so as to determine the truth of all formulas, using a straightforward 
inductive definition: ip A if is true given V iff each of ip and if is true given 
V, and —up is true given V iff ip is false given V. The truth conditions 
of disjunctions, implications, and bi-implications follow directly from these 
two clauses and Definition |1.2| To model knowledge and belief, we use ideas 
that go back to Hintikka. We think of an agent a as considering possible 


1.2. BASIC CONCEPTS AND TOOLS 


9 


a number of different situations that are consistent with the information 
that the agent has. Agent a is said to know (or believe) <p, if is true in all 
the situations that a considers possible. Thus, rather than using a single 
situation to give meaning to modal formulas, we use a set of such situations; 
moreover, in each situation, we consider, for each agent, what other situ¬ 
ations he or she considers possible. The following example demonstrates 
how this is done. 


Example 1.1 

Bob is invited for a job interview with Alice. They have agreed that it 
will take place in a coffeehouse downtown at noon, but the traffic is quite 
unpredictable, so it is not guaranteed that either Alice or Bob will arrive 
on time. However, the coffeehouse is only a 15-minute walk from the bus 
stop where Alice plans to go, and a 10-minute walk from the metro station 
where Bob plans to go. So, 10 minutes before the interview, both Alice and 
Bob will know whether they themselves will arrive on time. Alice and Bob 
have never met before. A Kripke model describing this situation is given 


in Figure 1.2 


a,b a,b 



Figure 1.2: The Kripke model for Example E3 


Suppose that at 11:50, both Alice and Bob have just arrived at their 
respective stations. Taking t. a and tb to represent that Alice (resp., Bob) 


arrive on time, this is a situation (denoted w in Figure 1.2) where both t a 
and tb are true. Alice knows that t a is true (so in w we have K a t a ), but she 
does not know whether tb is true; in particular, Alice considers possible the 
situation denoted v in Figure [L2| where t a /\^tb holds. Similarly, in w, Bob 
considers it possible that the actual situation is s, where Alice is running 
late but Bob will make it on time, so that —i t a A tb holds. Of course, in s, 
Alice knows that she is late; that is, K a -^t a holds. Since the only situations 
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that Bob considers possible at world w are w and s, he knows that he 
will be on time ( Kbtb ), and knows that Alice knows whether or not she is 
on time ( Ki(K a t a V K a ^t a ))- Note that the latter fact follows since K a t a 
holds in world w and K a —it a holds in world s, so K a t a V K a —>t a holds in 
both worlds that Bob considers possible. H 


This, in a nutshell, explains what the models for epistemic and doxastic 
look like: they contain a number of situations, typically called states or 
(possible) worlds, and binary relations on states for each agent, typically 
called accessibility relations. A pair (v, w ) is in the relation for agent a if, 
in world v , agent a considers state w possible. Finally, in every state, we 
need to specify which primitive propositions are true. 

Definition 1.4 (Kripke frame, Kripke model) 

Given a set At of primitive propositions and a set Ag of agents, a Kripke 
model is a structure M = ( S , f? Ag , K At ), where 

• S / 0 is a set of states, sometimes called the domain of M, and 
denoted V(M); 

• f? Ag is a function, yielding an accessibility relation R a C S x S for 
each agent a E Ag; 

• V' At : S —> (At —> {true, false}) is a function that, for all p E At and 
s E S, determines what the truth value V At (s)(p) of p is in state s 
(so V At (s) is a propositional valuation for each s E S). 

We often suppress explicit reference to the sets At and Ag, and write M = 
(S,R,V ), without upper indices. Further, we sometimes write sR a t or 
R a st rather than (s,t) E R a , and use R a (s ) or R a s to denote the set 
{t E S | R a st}. Finally, we sometimes abuse terminology and refer to V as 
a valuation as well. 

The class of all Kripke models is denoted /C. We use K m to denote the 
class of Kripke models where j Ag |= m. A Kripke frame F = (S, R) focuses 
on the graph underlying a model, without regard for the valuation. H 


More generally, given a modal logic with a set Op of modal operators, 
the corresponding Kripke model has the form M = (S, R 0p ,V At ), where 
there is a binary relation Rn for every operator □ E Op. Op may, for 
example, consist of a knowledge operator for each agent in some set Ag and 
a belief operator for each agent in Ag. 

Given Example 1.1 and Definition |1.4[ it should now be clear how the 
truth of a formula is determined given a model M and a state s. A pair 
(M, s ) is called a pointed model, we sometimes drop the parentheses and 
write M, s. 
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Definition 1.5 (Truth in a Kripke Model) 

Given a model M = (S,R Ag ,V At ), we define what it means for a formula 
ip to be true in (M, s), written M, s \= ip, inductively as follows: 


M,s 

1 =P 

iff 

V(s)(p) = 

= true for p G At 

M,s 

\= ip A tp 

iff 

M, s \= ip 

and M, s |= if) 

M,s 

1= 

iff 

not M, s 

= ip (often written M, s \/= ip) 

M,s 

|= K a ip 

iff 

M, t = ip 

for all t such that R a st. 

More generally, if M - 

= (S, 

R° p, E At ) 

, then for all □ G Op: 


M, s \= Oip iff (M, t) \= ip for all t such that Rnst. 


Recall that M a is the dual of K a \ it easily follows from the definitions that 


M, s |= M a tp iff there exists some t such that R a st and M, t |= ip. 


We write M |= ip if M, s \= ip for all s € S. 


Example 1.2 

Consider the model of Figure 1.2 Note that K a p\J K a ^p represents the fact 
that agent a knows whether p is true. Likewise, M a p A M a ~<p is equivalent 
to -lit a -ip A -■ K a p\ agent a is ignorant about p. We have the following (in 
the final items we write E ab instead of E^ a b y): 


1. (M, s) |= 4 : truth of a primitive proposition in s. 

2. M, s \= (-it a A K a -it a A -iK^-ita) A (4 A -i K a t b A K b t b )'. at s, a knows 
that t a is false, but b does not; similarly, b knows that 4 is true, but 
a does not. 


3. M |= K a (K b t b \/ Kb~itb) AK b (K a t a V K a -it a ): in all states of M, agent 
a knows that b knows whether 4 is true, and b knows that a knows 
whether t a is true. 

4. M \= K a (M b tb A Mf,-i4) A Kb(M a t a A M a -it a ) in all states of M, agent 
a knows that b does not know whether t a is true, and b knows that a 
does not know whether 4 is true. 

5. M \= E ab ((K a t a V K a -it a ) A (M a t b A M a ->4)): in all states, everyone 
knows that a knows whether t a is true, but a does not know whether 
4 is true. 

6. M \= E ab E ab ( (K a t a V a) A (M a 4 a Mo-4)): in all states, everyone 

knows what we stated in the previous item. 
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This shows that the model M of Figure [L2] is not just a model for a situation 
where a knows t a but not tb and agent b knows tb but not t a ; it represents 
much more information. H 


As the following example shows, in order to model certain situations, 
it may be necessary that some propositional valuations occur in more than 
one state in the model. 

Example 1.3 

Recall the scenario of the interview between Alice and Bob, as presented in 
Example 0 Suppose that we now add the information that in fact Alice 
will arrive on time, but Bob is not going to be on time. Although Bob does 
not know Alice, he knows that his friend Carol is an old friend of Alice. Bob 
calls Carol, leaving a message on her machine to ask her to inform Alice 
about Bob’s late arrival as soon as she is able to do so. Unfortunately 
for Bob, Carol does not get his message on time. This situation can be 


represented in state M, v of the model of Figure 1.3 


a, b a,b a,b 



Figure 1.3: The Kripke model for 


Example 


1.3 


Note that in (M,v), we have ^I\ a ^tb (Alice does not know that Bob 
is late), but also Mb(K a -'tb) (Bob considers it possible that Alice knows 
that Bob is late). So, although the propositional valuations in v and v' are 
the same, those two states represent different situations: in v agent a is 
uncertain whether ->tb holds, while in v' she knows —>tb- Also, in M,v, Bob 
considers it possible that both of them will be late, and that Alice knows 
this: this is because Rbvu' holds in the model, and M, v! |= K a (^t a /\^tb) -~\ 

We often impose restrictions on the accessibility relation. For example, 
we may want to require that if, in world v, agent a considers world w possi- 
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ble, then in w, agent a should consider v possible. This requirement would 
make R a symmetric. Similarly, we might require that, in each world w, a 
considers w itself possible. This would make R a reflexive. More generally, 
we are interested in certain subclasses of models (typically characterized by 
properties of the accessibility relations). 

Definition 1.6 (Classes of models, validity, satisfiability) 

Let X be a class of models, that is, X C 1C. If M |= <p for all models M in 
X, we say that cp is valid in X, and write X |= tp. For example, for validity 
in the class of all Kripke models /C, we write 1C \= p. We write X \f= p> when 
it is not the case that X \ = ip. So X \f= p> holds if, for some model M £ X 
and some s £ D(M), we have M, s |= —up. If there exists a model M £ X 
and a state s £ D(M) such that M, s \= ip, we say that ip is satisfiable in 
X. H 

We now define a number of classes of models in terms of properties of the 
relations R a in those models. Since they depend only on the accessibility 
relation, we could have defined them for the underlying frames; indeed, the 
properties are sometimes called frame properties. 

Definition 1.7 (Frame properties) 

Let R be an accessibility relation on a domain of states S. 

1. R is serial if for all s there is a 1 such that Rst. The class of se¬ 
rial Kripke models, that is, {M = (S , R, V) | every R a is serial} is 
denoted IC'D. 

2. R is reflexive if for all s, Rss. The class of reflexive Kripke models is 
denoted JCT. 

3. R is transitive if for all s, t, u, if Rst and Rtu then Rsu. The class of 
transitive Kripke models is denoted /C4. 

4. R is Euclidean if for all s , t, and u, if Rst and Rsu then Rtu. The 
class of Euclidean Kripke models is denoted 1C 5 

5. R is symmetric if for all s, t, if Rst then Rts. The class of symmetric 
Kripke models is denoted JCB 

6. We can combine properties of relations: 

(a) The class of reflexive transitive models is denoted 54. 

(b) The class of transitive Euclidean models is denoted K, 45. 

(c) The class of serial transitive Euclidean models is denoted fCD 45. 
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(d) R is an equivalence relation if R is reflexive, symmetric, and 
transitive. It not hard to show that R is an equivalence relation 
if R is reflexive and Euclidean. The class of models where the 
relations are equivalence relations is denoted 55. 

As we did for JC m , we sometimes use the subscript m to denote the number 
of agents, so 55 m , for instance, is the class of Kripke models with j Ag |= 
m. H 


Of special interest in this book is the class 55. In this case, the accessi¬ 
bility relations are equivalence classes. This makes sense if we think of R a st 
holding if s and t are indistinguishable by agent a based on the information 
that a has received. 55 has typically been used to model knowledge. In 
an 55 model, write s ~ a t rather than R a st , to emphasize the fact that R a 
is an equivalence relation. When it is clear that M E 55, when drawing 
the model, we omit reflexive arrows, and since the relations are symmetric, 
we connect states by a line, rather than using two-way arrows. Finally, 
we leave out lines that can be deduced to exist using transitivity. We call 
this the S5 representation of a Kripke model. Figure 1.4 shows the S5 
representation of the Kripke model of Figure [L3| 



Figure 1.4: The S5 representation of the Kripke model in Figure 1.3 


When we restrict the classes of models considered, we get some inter¬ 
esting additional valid formulas. 


Theorem 1.1 (Valid Formulas) 

Parts (c)-(i) below are valid formulas, where a is a substitution instance 
of a propositional tautology (see below), p and ip are arbitrary formulas, 
and X is one of the classes of models defined in Definition 1.7 parts (a), 
(b), and (j) show that we can infer some valid formulas from others. 


(a) If X |= ip — > ip and X (= ip, then X |= ip. 

(b) If X |= (p then X \ = Kip. 
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(c) 

(d) 

(e) 

(f) 

(g) 

(h) 

(i) 

(j) 


X |= a. 

X |= K(ip —> ip) —•> (Kip —> ip). 

IC'D |= Kip —> Mip. 

T |= Kip — > ip. 

AC 4 |= ICip -> KKip. 

K 5 |= -iA> -> K-iK<p. 

KB \=ip^ KMip. 

If X C T then T j= ip implies that A (= (/?. 


H 


Since 55 is the smallest of the classes of models considered in Definition 1.7 


it easily follows that all the formulas and inference rules above are valid 
in 55. To the extent that we view 55 as the class of models appropriate 
for reasoning about knowledge, Theorem 1.1 can be viewed as describing 
properties of knowledge. As we shall see, many of these properties apply 
to the standard interpretation of belief as well. 

Parts (a) and (c) emphasise that we represent knowledge in a logi¬ 
cal framework: modus ponens is valid as a reasoning rule, and we take 
all propositional tautologies for granted. In part (c), a is a substitution 
instance of a propositional tautology. For example, since p V ->p and 
P (q p) are propositional tautologies, a could be Kp V ~>Kp or 
K(pV q) —> (Kr —> K(pC q)). That is, we can substitute an arbitrary 
formula (uniformly) for a primitive proposition in a propositional tautol¬ 
ogy. Part (b) says that agents know all valid formulas, and part (d) says 
that an agent is able to apply modus ponens to his own knowledge. Part 
(e) is equivalent to Kip —> —i K—np; an agent cannot at the same time know a 
proposition and its negation. Part (f) is even stronger: it says that what an 
agent knows must be true. Parts (g) and (h) represent what has been called 
positive and negative introspection , respectively: an agent knows what he 
knows and what he does not know. Part (i) can be shown to follow from 
the other valid formulas; it says that if something is true, the agent knows 
that he considers it possible. 


Notions of Group Knowledge 

So far, all properties that we have encountered are properties of an indi¬ 
vidual agent’s knowledge, such as Ea, defined above. In this section we 
introduce two other notions of group knowledge, common knowledge Ca 
and distributed knowledge Da, and investigate their properties. 
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Example 1.4 (Everyone knows and distributed knowledge) 

Alice and Betty each has a daughter; their children can each either be at 
the playground (denoted p a and p b , respectively) or at the library (—, 
and -■ pb, respectively). Each child has been carefully instructed that, if she 
ends up being on the playground without the other child, she should call 
her mother to inform her. Consider the situation described by the model 
M in Figure p~5j 



Figure 1.5: The (S5 representation of the) model for Example 1.4 


We have 


M |= ((-.p a A Pb) «4 Kair^Pa A Pb)) A ((p a A i p b ) O I<b(Pa A -i p b )). 

This models the agreement each mother made with her daughter. Now 
consider the situation at state s. We have M,s \= K a ^(p a A ~^p b ), that 
is, Alice knows that it is not the case that her daughter is alone at the 
playground (otherwise her daughter would have informed her). What does 
each agent know at s? If we consider only propositional facts, it is easy 
to see that Alice knows p a -4 pb and Betty knows p b -4 p a . What does 
everyone know at s? The following sequence of equivalences is immediate 
from the definitions: 

M ,S \= 

iff M, s \= K a <p A K b p 

iff \/x(R a sx M, x |= ip) and \/y(Rbsy =4- M, y \= (p) 
iff Vx G {s, w, t} (M, x j= <p) and My G {s, u, t} (M, y |= <p) 
iff M \= <p. 

Thus, in this model, what is known by everyone are just the formulas valid 
in the model. Of course, this is not true in general. 

Now suppose that Alice and Betty an opportunity to talk to each other. 
Would they gain any new knowledge? They would indeed. Since M, s |= 
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K a (p a —> Pb) A Kb(pb —t Pa), they would come to know that p a -H- pb holds; 
that is, they would learn that their children are at least together, which 
is certainly not valid in the model. The knowledge that would emerge if 
the agents in a group A were allowed to communicate is called distributed 
knowledge in A, and denoted by the operator Da- In our example, we 
have M, s |= D^ a ^{jp a ^ p b ), although M, s |= -i K a (p a Pb) A -i K b (p a ^ 
Pb). In other words, distributed knowledge is generally stronger than any 
individual’s knowledge, and we therefore cannot define Da<P as Vie.4 
the dual of general knowledge that we may have expected; that would be 
weaker than any individual agent’s knowledge. In terms of the model, 
what would happen if Alice and Betty could communicate is that Alice 
could tell Betty that he should not consider state u possible, while Betty 
could tell Alice that she should not consider state w possible. So, after 
communication, the only states considered possible by both agents at state 
s are s and t. This argument suggests that we should interpret Da as 
the necessity operator (D-type modal operator) of the relation f) a&A Ra¬ 
lly way of contrast, it follows easily from the definitions that Ea can be 
interpreted as the necessity operator of the relation \J a&A R» - H 

The following example illustrates common knowledge. 

Example 1.5 (Common knowledge) 

This time we have two agents: a sender (s) and a receiver (r). If a message 
is sent, it is delivered either immediately or with a one-second delay. The 
sender sends a message at time to- The receiver does not know that the 
sender was planning to send the message. What is each agent’s state of 
knowledge regarding the message? 

To reason about this, let s z (for zGZ) denote that the message was sent 
at time t-o + z, and, likewise, let d z denote that the message was delivered at 
time t = z. Note that we allow 2 : to be negative. To see why, consider the 
world wo,o where the message arrives immediately (at time to). (In general, 
in the subscript (i,j) of a world vp.j, i denotes the time that the message 
was sent, and j denotes the time it was received.) In world wofi, the receiver 
considers it possible that the message was sent at time to — 1. That is, the 
receiver considers possible the world W-ip where the message was sent at 
to — 1 and took one second to arrive. In world w-ifl, the sender considers 
possible the world w- 1-1 where the message was sent at time to — 1 and 
arrived immediately. And in world w- 1 - 1 , the receiver considers possible 
a world w- 2,-1 where the message as sent at time to — 2. (In general, in 
world w n ,m, the message is sent at time t-o + n and received at time to + rri.) 
In addition, in world wo,o, the sender considers possible world w 0 , 1 , where 
the message is received at time to + 1. The situation is described in the 
following model M. 
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(s 0 ,<M- 


-{s- 1, d 0 )-(s —i , d-i) -(s_2, d-i)-(s_2, d-i) 


( s 0i d \)-(si, rfi)-(si, d^) -(S2, <fe)-($2, <L)- 


Figure 1.6: The (S5 representation of the) model for Example 1.5 


Writing E for ‘the sender and receiver both know’, it easily follows that 

M. Wo,o | = So A do A —1E—1S—1 A —<E—idi A —iE^—iS— 2 - 

The notion of p being common knowledge among group A, denoted 
Cap, is meant to capture the idea that, for all n, E n p is true. Thus, p is 
not common among A if someone in A considers it possible that someone in 
A considers it possible that ... someone in A considers it possible that p is 
false. This is formalised below, but the reader should already be convinced 
that in our scenario, even if it is common knowledge among the agents that 
messages will have either no delay or a one-second delay, it is not common 
knowledge that the message was sent at or after time to — m for any value 
of m\ H 

Definition 1.8 (Semantics of three notions of group knowledge) 

Let A C Ag be a group of agents. Let Re a = U a£j 4 l? a . As we observed 
above, 


(M, s ) |= EaP iff for all t such that RE A st, we have (M, t ) |= p. 
Similarly, taking Rd a = O a£ ARa, we have 

(M, s) \= DaP iff for all t such that Ro A st , we have (M, t) \= p. 


Finally, recall that the transitive closure of a relation R is the smallest 
relation R + such that R C R + , and such that, for all x,y, and z, if R + xy 
and R + yz then R + xz. We define Rc A as R% = (UaeA^a) + - Note that, 
every pair of states is in the relation 

^{r,s} 


in Figure 


1.6 


In general, we 


have Rc A st iff there is some path s = so, s \,..., s n = t from s to i such 
that n > 1 and, for all i < n, there is some agent a G A for which R a SiSi+ 1 . 
Define 


(M, s) |= Cap iff for all t such that Rc A st , (M, t) \= p. 

It is almost immediate from the definitions that, for a G A, we have 

JC |= ( Cap -> E A p) A ( E A p K a p) A (K a p ->• D A p). (1.1) 
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Moreover, for T (and hence also for 54 and 55), we have 


T 1= D a ip -> c p. 


The relative strengths shown in 0 are strict in the sense that none 
of the converse implications are valid (assuming that A ^ {a}). 

We conclude this section by defining some languages that are used 
later in this chapter. Fixing At and Ag, we write Lx for the language 
L(At, Op, Ag), where 


X = K if Op = [K 0 | a E Ag} 

X = CK if Op = {K a , C A | a E Ag, A C Ag} 

X = DK if Op = {K a , D a \ a E Ag, A C Ag} 

X = CDK if Op = [K a , C A . D a \ a E Ag, A C Ag} 

X = EI< if Op = {K a , E a | a E Ag, A C Ag}. 


Bisimulation 


It may well be that two models ( M, s ) and (AT, s') ‘appear different’, but 
still satisfy the same formulas. For example, consider the models (M, s), 


(. Ms'), and (X, si) in Figure 1.7 As we now show, they satisfy the same 
formulas. We actually prove something even stronger. We show that all 
of ( M,s ), (M,t), ( M',s'), (X, .si), (M, S2), and (X, S3) satisfy the same 
formulas, as do all of ( M,u ), ( M,w ), (. M',w'), (N,w\), and (N,w 2 ). For 
the purposes of the proof, call the models in the first group green , and 
the models in the second group red. We now show, by induction on the 
structure of formulas, that all green models satisfy the same formulas, as 
do all red models. For primitive propositions, this is immediate. And if two 
models of the same colour agree on two formulas, they also agree on their 
negations and their conjunctions. The other formulas we need to consider 
are knowledge formulas. Informally, the argument is this. Every agent 
considers, in every pointed model, both green and red models possible. So 
his knowledge in each pointed model is the same. We now formalise this 
reasoning. 


Definition 1.9 (Bisimulation) 

Given models M = (S,R,V) and M 1 = (S', R',V'), a non-empty relation 
91 C 5 x S' is a bisimulation between M and M' iff for all s e 5 and s' E S' 
with (s, s') E 91: 


V(s)(p) = V'(s')(p) for all p E At; 

for all a E Ag and all t E 5, if R a st , then there is a t 7 E S' such that 
R' a s't' and (t, t!) E 91; 
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• for all a £ Ag and all t' £ S', if R' a s't', then there is a t £ S such that 
R a st and {t,t') £ JH. 

We write (M, s)iA(M', s') iff there is a bisimulation between M and M' 
linking s and s'. If so, we call (M, -s) and (M', s') bisimilar. H 

Figure |1.7| illustrates some bisimilar models. In terms of the models 



Figure 1.7: Bisimilar models. 


of Figure 1.7 , we have M,sUtM',s', M, sdN, s\, etc. We are interested 
in bisimilarity because, as the following theorem shows, bisimilar models 
satisfy the same formulas involving the operators K a and Ca- 

Theorem 1.2 (Preservation under bisimulation) 

Suppose that (M, s)ti(M / , s'). Then, for all formulas p £ L ck, we have 

M, s |= ip M ', s' |= ip. -\ 


The proof of the theorem proceeds by induction on the structure of formu¬ 
las, much as in our example. We leave the details to the reader. 


Note that Theorem 1.2 does not claim that distributed knowledge is 
preserved under bisimulation, and indeed, it is not, i.e., Theorem |1.2| does 
not hold for a language with Da as an operator. Figure |1.8| provides 
a witness for this. We leave it to the reader to check that although 
(M,s)t±(N,s i) 
have (M, s) \= - 


for the two pointed models of Figure 1.8 we nevertheless 
" D {a,b}P and (N,s i) |= D {afi} p. 


We can, however, generalise the notion of bisimulation to that of a group 
bisimulation and ‘recover’ the preservation theorem, as follows. If A C Ag, 
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Figure 1.8: Two bisimilar models that do not preserve distributed know¬ 
ledge. 


s and t are states, then we write R,Ast if A = {a \ R a st}. That is, R,Ast 
holds if the set of agents a for which s and t are a-connected is exactly A. 
( M, s ) and (M' , s') are group bisimilar, written (M, s)Ct gr 0 up{M' , s'), if the 
conditions of Definition 1.9 are met when every occurrence of an individual 
agent a is replaced by the group A. Obviously, being group bisimilar implies 
being bisimilar. Note that the models ( M,s ) and (IV, si) of Figure 1.8 are 


bisimilar, but not group bisimilar. The proof of Theorem 1.3 is analogous 
to that of Theorem 11.21 


Theorem 1.3 (Preservation under bisimulation) 

Suppose that (M, s)td group (M / , s'). Then, for all formulas p E L cdk, 
have 


M, s j= ip M ', s' j= <p. 


we 

H 


1.2.3 Expressivity and Succinctness 

If a number of formal languages can be used to model similar phenomena, 
a natural question to ask is which language is ‘best’. Of course, the answer 
depends on how ‘best’ is measured. In the next section, we compare vari¬ 
ous languages in terms of the computational complexity of some reasoning 
problems. Here, we consider the notions of expressivity (what can be ex¬ 
pressed in the language?) and succinctness (how economically can one say 
it?). 

Expressivity 

To give an example of expressivity and the tools that are used to study it, we 
start by showing that finiteness of models cannot be expressed in epistemic 
logic, even if the language includes operators for common knowledge and 
distributed knowledge. 






22 


CHAPTER 1. INTRODUCTION 


Theorem 1.4 

There is no formula ip G L cdk such that, for all 55-models M = ( S , R, V), 

M \= ip iff S' is finite -| 


Proof 


Consider the two models M and M' of Figure 1.9 


Obviously, 


a, b 



P p P p 



Figure 1.9: A finite and an infinite model where the same formulas are 
valid. 

M is finite and M' is not. Nevertheless, the two models are easily seen to 
be group bisimilar, so they cannot be distinguished by epistemic formulas. 
More precisely, for all formulas ip G L cdk, we have M, s |= <p iff M', si |= ip 
iff M' , S 2 |= ip iff M'. s n j= (p for some n G N, and hence M \= <p iff M' |= tp. 
H 


It follows immediately from Theorem 1.4 that finiteness cannot be ex¬ 
pressed in the language L cdk in a class X of models containing 55. 

We next prove some results that let us compare the expressivity of two 
different languages. We first need some definitions. 


Definition 1.10 

Given a class X of models, formulas and ip 2 are equivalent on X, written 
p i ip 2 , if, for all ( M,s ) G X, we have that M, s |= p>\ iff M, s |= tp 2 - 

Language l _2 is at least as expressive as Li on X, written Li l _2 if, for 
every formula ip\ G Li, there is a formula (p 2 S L 2 such that (p± =x <P 2 ■ Li 
and L 2 are equally expressive on X if Li L 2 and L 2 l_i. If Li L 2 
but L 2 Li, then L 2 is more expressive than l_i on X , written l_i \Zx L 2 H 


Note that if y C X, then Li L 2 implies Li Cy L 2 , while Li L 2 
implies Li x L 2 . Thus, the strongest results that we can show for the 
classes of models of interest to us are Li \_ 2 and Li ^55 L 2 

With these definitions in hand, we can now make precise that common 
knowledge ‘really adds’ something to epistemic logic. 
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Theorem 1.5 

L K Eye L ck and La Es5 L ck- d 


Proof Since La C \_ck , it is obvious that La Eye L ck- To show that 
L ck Es5 La, consider the sets of pointed models A4 = {(M n , si) | n £ N} 
and A f = {(N n , t±) \ n G N} shown in Figure 1.10 The two models M n and 
N n differ only in (M n ,s n + 1 ) (where p is false) and (N n ,t n +i) (where p is 
true). In particular, the first n — 1 states of (M n ,s i) and (N n ,t\) are the 
same. As a consequence, it is easy to show that, 

for all n € N and cp € Lk with d(p) < n, (M n , si) |= tp iff (N n , t\) |= p>. 

( 1 . 2 ) 

Clearly AA |= Ci a ^y^p while M \= ^Cuj-A-'p. If there were a formula 
<p 6 La equivalent to C'{ a j,}~ , p, then we would have A4 j= tp while M |= -«p. 
Let d = d(<p ), and consider the pointed models (M^ +1 ,si) and (jV^+i, t\). 
Since the first is a member of A4 and the second of Af, the pointed models 
disagree on Cr a b j^p; however, by (1.2), they agree on tp. This is obviously 

L 


a contradiction, therefore a formu 
does not exist. 


a cp e L that is equivalent to C^ a ^^p 


Mi 


M 2 


M 3 




Figure 1.10: Models M n and N n . The atom p is only true in the pointed 
models (N n ,s n +i). 


H 

The next result shows, roughly speaking, that distributed knowledge is 
not expressible using knowledge and common knowledge, and that common 
knowledge is not expressible using knowledge and distributed knowledge. 

Theorem 1.6 

(a) La Eye Lda an d La %S5 L dk] 

(b) Lca Ess Lda; 
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(c) L DK 2-S5 L CK', 

(d) L ck E/c \-cdk and L C dk £ss L ck', 

(e) L dk E/c L cdk and L cdk E.S5 L dk- d 


Proof For part (a), holds trivially. We use the models in Figure [L8| to 
show that L dk E.S 5 L k- Since (M, s)C?(N, si), the models verify the same 
L-formulas. However, \-dk discriminates them: we have (M, s) (= —>D^ ab yp, 
while (N, si) \= D^ ab yp. Since (M, s) and (N, si) also verify the same Lcx- 
formulas, part (3) also follows. 

For part (b), observe that (1.2) is also true for all formulas ip E L dk, 
so the formula Cr a b }—ip E L ck is not equivalent to a formula in Lda- 
Part (c) is proved using exactly the same models and argument as part 

(a). 


For part (d), C is obvious. To show that L cdk E-S 5 L dk, we can use 
the models and argument of part (b). Similarly, for part (e), C is obvious. 
To show that \~cdk Ess L dk, we can use the models and argument of part 
(a). H 


We conclude this discussion with a remark about distributed knowledge. 
We informally described distributed knowledge in a group as the knowledge 
that would obtain were the agents in that group able to communicate. 
However, Figure 1.8 shows that this intuition is not quite right. First, 
observe that both a and b know the same formulas in (. M,s ) and (N,s\); 
they even know the same formulas in (M, s) and (IV, si). That is, for all 
ip E \-k, we have 


(M, s) b= KaP iff (M, s) \= K b ip iff (IV, Sl ) |= K a ip iff ( N , Sl ) |= K b p 


But if both agents possess the same knowledge in (IV, si), how can 
communication help them in any way, that is, how can it be that there 
is distributed knowledge (of p ) that no individual agent has? Similarly, if 
a has the same knowledge in (M, s) in (IV, si), and so does b , why would 
communication in one model ( N ) lead them to know p, while in the other, 
it does not? Semantically, one could argue that in sq agent a could ‘tell’ 
agent b that t-z ‘is not possible’, and b could ‘tell’ a that t\ ‘is not possible’. 
But how would verify the same formulas? This observation has led some 
researchers to require that distributed knowledge be interpreted in what 
are called bisimulation contracted models (see the notes at the end of the 
chapter for references). Roughly, a model is bisimulation contracted if it 
does not contain two points that are bisimilar. Model M of Figure |1.8| is 
bisimulation contracted, model N is not. 
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Succinctness 

Now suppose that two languages Li and l _2 are equally expressive on A, 
and also that their computational complexity of the reasoning problems for 
them is equally good, or equally bad. Could we still prefer one language 
over the other? Representational succinctness may provide an answer here: 
it may be the case that the description of some properties is much shorter 
in one language than in the other. 

But what does ‘much shorter’ mean? The fact that there is a formula 
Li whose length is 100 characters less than the shortest equivalent formula 
in l _2 (with respect to some class X of models) does not by itself make l_i 
much more succinct that l_ 2 - 

We want to capture the idea that Li is exponentially more succinct than 
l_ 2 . We cannot do this by looking at just one formula. Rather, we need a 
sequence of formulas aq, a 2 , « 3 ,... in Lq, where the gap in size between a n 
and the shortest formula equivalent to a n in l _2 grows exponentially in n. 
This is formalised in the next definition. 

Definition 1.11 (Exponentially more succinct) 

Given a class X of models, Li is exponentially more succinct than 1_2 on X 
if the following conditions hold: 

(a) for every formula /3 G l_ 2 , there is a formula a £ Li such that a =x 
and | a \ < \ f3 \. 

(b) there exist Aq, Aq > 0, a sequence aq, aq,... of formulas in Lq, and a 
sequence /3q, /? 2 ,... of formulas in L 2 such that, for all n, we have: 

(i) \a n \<ki n; 

(h) | fin | >2 fc ^; 

(iii) f3 n is the shortest formula in L 2 that is equivalent to a n on X.~\ 

In words, l_q is exponentially more succinct than L 2 if, for every formula 
/? £ L 2 , there is a formula in l_q that is equivalent and no longer than /3, 
but there is a sequence oq, cc 2 , • • • of formulas in l_q whose length increases 
at most linearly, but there is no sequence /3q, /5 2 ,... of formulas in l _2 such 
that f3 n is the equivalent to a n and the length of the formulas in the latter 
sequence is increasing better than exponentially. 

We give one example of succinctness results here. Consider the language 
Lek■ Of course, Ea can be defined using the modal operators Kj for i £ A. 
But, as we now show, having the modal operators Ea in the language makes 
the language exponentially more succinct. 



26 


CHAPTER 1. INTRODUCTION 


Theorem 1.7 

The language L ek is exponentially more succinct than L/^ on A, for all X 
between K, and 55. H 

Proof Clearly, for every formula a in (L) k, there is an equivalent 
formula in L ek that is no longer than a, namely, a itself. Now consider 
the following two sequences of formulas: 

“n = ^ E {a,b}^ P 


and 


/3i = ^{K a -^p A K b ^p), and f3 n = -‘(K a -‘/3 n -i A K b ^/3 n -i). 

If we take | Eat | = | A | + \ip\, then it is easy to see that | a n |= 2n + 3, so 
| a n | is increasing linearly in n. On the other hand, since | fi n |> 2 | f5 n -\ |, 
we have | f3\> 2 n . It is also immediate from the definition of £-{ a ,b} that (3 n 
is equivalent to a n for all classes X between /C and 55. To complete the 
proof, we must show that there is no formula shorter than f3 n in that is 
equivalent to a n . This argument is beyond the scope of this book; see the 
notes for references. H 


1.2.4 Reasoning problems 

Given the machinery developed so far, we can state some basic reasoning 
problems in semantic terms. They concern satisfiability and model checking. 
Most of those problems are typically considered with a specific class of 
models and a specific language in mind. So let X be some class of models, 
and let L be a language. 

Decidability Problems 

A decidability problem checks some input for some property, and returns 
‘yes’ or ‘no’. 

Definition 1.12 (Satisfiability) 

The satisfiability problem for X is the following reasoning problem. 


Problem: 

satisfiability in X, denoted SAT^-. 

Input: 

a formula cp € L. 

Question: 

does there exist a model Mel and a state s G 


V(M) such that M, s = pi 

Output: 

‘yes’ or ‘no’. 
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Obviously, there may well be formulas that are satisfiable in some 
Kripke model (or generally, in a class T), but not in 55 models. Satis¬ 
fiability in X is closely related to the problem of validity in X, due to the 
following equivalence: (p is valid in X iff —up is not satisfiable in X. 


Problem: 

validity in X , denoted VAL^. 

Input: 

a formula p £ L. 

Question: 

is it the case that X = pi 

Output: 

‘yes’ or ‘no’. 


The next decision problem is computationally and conceptually simpler 
than the previous two, since rather than quantifying over a set of models, 
a specific model is given as input (together with a formula). 

Definition 1.13 (Model checking) 

The model checking problem for X is the following reasoning problem: 


Problem: 

Model checking in X, denoted modcheck^-. 

Input: 

a formula <p £ L and a pointed model (XI, s ) with 


M £ X and s £ V(M). 

Question: 

is it the case that XI, s = pi 

Output:: 

‘yes’ or ‘no’. 


The field of computational complexity is concerned with the question 
of how much of a resource is needed to solve a specific problem. The 
resources of most interest are computation time and space. Computational 
complexity then asks questions of the following form: if my input were to 
increase in size, how much more space and/or time would be needed to 
compute the answer? Phrasing the question this way already assumes that 
the problem at hand can be solved in finite time using an algorithm, that is, 
that the problem is decidable. Fortunately, this is the case for the problems 
of interest to us. 


Proposition 1.1 (Decidability of SAT and modcheck) 

If X is one of the model classes defined in Definition 1.7 (XI, s) £ X, and 
(p is a formula in one of the languages defined in Definition 0 then both 
SAT;r (<£>) and modcheck^ ((XI, s), p) are decidable. H 


In order to say anything sensible about the additional resources that an 
algorithm needs to compute the answer when the input increases in size, 
we need to define a notion of size for inputs, which in our case are formulas 
and models. Formulas are by definition finite objects, but models can in 
principle be infinite (see, for instance, Figure [L6|). The following fact is the 
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key to proving Fact 0 For a class of models X, let J~in(X) C X be the 
set of models in X that are finite. 


we have, for all p G 


Proposition 1.2 (Finite model p 

For all classes of models in Definition 


ifop 

1.7 


3rty) 

and languages L in Definition 


1.1 


X j= p iff J-in(X) |= p. 


Fact 1.2 does not say that the models in X and the finite models in X 
are the same in any meaningful sense; rather, it says that we do not gain 
valid formulas if we restrict ourselves to finite models. It implies that a 
formula is satisfiable in a model in X iff it is satisfiable in a finite model 
in X. It follows that in the languages we have considered so far, ‘having 
a finite domain’ is not expressible (for if there were a formula p that were 
true only of models with finite domains, then p would be a counterexample 


to Fact 1.2) 


Definition 1.14 (Size of Models) 

For a finite model M = (S', Ag , P At ), the size of M, denoted ||M||, is the 
sum of the number of states (| 5 |, for which we also write | M |) and the 
number of pairs in the accessibility relation (| R a |) for each agent a G Ag.H 

We can now strengthen Fact |1.2| as follows. 


Proposition 1.3 

For all classes of models in Definition 1.7 and languages L in Definition 1.11 
we have, for all p G L, p is satisfiable in X iff there is a model M G X such 
that | D(M) |< 2^1 and p is satisfiable in M. H 

The idea behind the proof of Proposition |1.3| is that states that ‘agree’ on 
all subformulas of p can be ‘identified’. Since there are only | p | subformulas 
of p, and 2^1 truth assignments to these formulas, the result follows. Of 
course, work needs to done to verify this intuition, and to show that an 
appropriate model can be constructed in the right class X. 

To reason about the complexity of a computation performed by an 
algorithm, we distinguish various complexity classes. If a deterministic al¬ 
gorithm can solve a problem in time polynomial in the size of the input, the 
problem is said to be in P. An example of a problem in P is to decide, given 
two finite Kripke models M\ and M 2 , whether there exists a bisimulation 
between them. Model checking for the basic multi-modal language is also 


in P; see Proposition 1.4 


In a nondeterministic computation, an algorithm is allowed to ‘guess’ 
which of a finite number of steps to take next. A nondeterministic algorithm 
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for a decision problem says ‘y es ’ or accepts the input if the algorithm says 
‘yes’ to an appropriate sequence of guesses. So a nondeterministic algorithm 
can be seen as generating different branches at each computation step, and 
the answer of the nondeterministic algorithm is ‘yes’ iff one of the branches 
results in a ‘yes’ answer. 

The class NP is the class of problems that are solvable by a nondeter¬ 
ministic algorithm in polynomial time. Satisfiability of propositional logic is 
an example of a problem in NP: an algorithm for satisfiability first guesses 
an appropriate truth assignment to the primitive propositions, and then 
verifies that the formula is in fact true under this truth assignment. 

A problem that is at least as hard as any problem in NP is called NP- 
hard. An NP-hard problem has the property that any problem in NP can be 
reduced to it using a polynomial-time reduction. A problem is NP -complete 
if it is both in NP and NP-hard; satisfiability for propositional logic is well 
known to be NP-complete. For an arbitrary complexity class C, notions of 
C-hardness and C-completeness can be similarly defined. 

Many other complexity classes have been defined. We mention a few 
of them here. An algorithm that runs in space polynomial in the size of 
the input it is in PS PACE. Clearly if an algorithm needs only polynomial 
time then it is in polynomial space; that is P C PSPACE. In fact, we also 
have NP C PSPACE. If an algorithm is in NP, we can run it in polynomial 
space by systematically trying all the possible guesses, erasing the space 
used after each guess, until we eventually find one that is the ‘right’ guess. 
EXPTIME consists of all algorithms that run in time exponential in the 
size of the input; NEXPTIME is its nondeterministic analogue. We have P 
C NP C PSPACE C EXPTIME C NEXPTIME. One of the most important 
open problems in computer science is the question whether P = NP. The 
conjecture is that the two classes are different, but this has not yet been 
proved; it is possible that a polynomial-time algorithm will be found for 
an NP-hard problem. What is known is that P / EXPTIME and NP / 
NEXPTIME. 

The complement P of a problem P is the problem in which all the 
‘yes’ and ‘no’ answers are reversed. Given a complexity class C, the class 
co-C is the set of problems for which the complement is in C. For every 
deterministic class C, we have co-C = C. For nondeterministic classes, a class 
and its complement are, in general, believed to be incomparable. Consider, 
for example, the satisfiability problem for propositional logic, which, as we 
noted above, is NP-complete. Since a formula ip is valid if and only if —up is 
not satisfiable, it easily follows that the validity problem for propositional 
logic is co-NP-complete. The class of NP-complete and co-NP-complete 
problems are believed to be distinct. 
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We start our summary of complexity results for decision problems in 
modal logic with model checking. 

Proposition 1.4 

Model checking formulas in L(At, Op,Ag), with Op = {K a \ a £ Ag}, in 
finite models is in P. H 

Proof We now describe an algorithm that, given a model M = (S , i? Ag , 
U At ) and a formula ip £ L, determines in time polynomial in \ip\ and ||M|| 
whether M, s \= ip. Given (/?, order the subformulas tp\,... p> m of p> in such 
a way that, if ! p t is a subformula of p>j, then i < j. Note that m < \ip\. We 
claim that 

(*) for every k < ?n, we can label each state s in A I with either 
ipj (if ipj if true at s) or —i <pj (otherwise), for every j < k, in 
fc||M|| steps. 

We prove (*) by induction on m. If k = 1, ip m must be a primitive propo¬ 
sition, and obviously we need only \M\ < \\M\\ steps to label all states as 
required. Now suppose (*) holds for some k < m, and consider the case 
k + 1. If ipk+i is a primitive proposition, we reason as before. If <pk+i is 
a negation, then it must be ~npj for some j < k. Using our assumption, 
we know that the collection of formulas </q,..., ipk can be labeled in M in 
Ai||Af|| steps. Obviously, if we include ipk+i = -'Tj i n the collection of for¬ 
mulas, we can do the labelling in k more steps: just use the opposite label 
for ipk+i as used for ipi. So the collection ip i,..., ipk+i can be labelled in 
M in at (k + l)||Af|| steps, are required. Similarly, if ipk+i = <pi A ipj, with 
i,j < k, a labelling for the collection <pi ,..., <£>fc+i needs only ( k + 1)||A4|| 
steps: for the last formula, in each state s of M, the labelling can be com¬ 
pleted using the labellings for ipi and ipj. Finally, suppose ipk+i is of the 
form K a ipj with j < k. In this case, we label a state s with K a Tj iff each 
state t with R a st is labelled ipj. Assuming the labels (pj and —npj are al¬ 
ready in place, this can be done in | R a (s) |< \\M || steps. H 

Proposition |1.4| should be interpreted with care. While having a poly¬ 
nomial-time procedure seems attractive, we are talking about computation 
time polynomial in the size of the input. To model an interesting scenario 
or system often requires ‘big models’. Even for one agent and n primitive 
propositions, a model might consist of 2 n states. Moreover, the procedure 
does not check properties of the model either, for instance whether it be¬ 
longs to a given class X. 

We now formulate results for satisfiability checking. The results de¬ 
pend on two parameters: the class of models considered (we focus on 
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/C, T, 54,/CD45 and 55) and the language. Let Ag =1 consist of only one 
agent, let Ag >1 ^ 0 be an arbitrary set of agents, and let Ag >2 be a set of 
at least two agents. Finally, let Op = {K a \ a € Ag}. 

Theorem 1.8 (Satisfiability) 

The complexity of the satisfiability problem is 

1. NP-complete if X e {/CP45,55} and L = L(At, Op, Ag =1 ); 

2. PS PACE-complete if 

(a) X 6 {1C, T, 54} and L = L(At, Op, Ag >1 ), or 

(b) X 6 {IC'D 45,55} and L = L(At, Op, Ag >2 ); 

3. EXPTIME-complete if 

(a) X € {1C, T and L = L(At, Op U {C}, Ag >x ), or 

(b) X € {54, KV 45,55} and L = L(At, Op U {C}, Ag> 2 ). H 


From the results in Theorem 1.8 


it follows that the satisfiability prob¬ 
lem for logics of knowledge and belief for one agent, 55 and KID 45, is 
exactly as hard as the satisfiability problem for propositional logic. If we 
do not allow for common knowledge, satisfiability for the general case is 
PSPACE-complete, and with common knowledge it is EXPTIME-complete. 
(Of course, common knowledge does not add anything for the case of one 
agent.) 

For validity, the consequences of Theorem 1.8 are as follows. We re¬ 
marked earlier that if satisfiability (in X) is in some class C, then validity 
is in co-C. Hence, checking validity for the cases in item[l]is co-NP-complete. 
Since co-PSPACE = PSPACE, the validity problem for the cases in item[2]is 
PSPACE-complete, and, finally, since co-EXPTIME = EXPTIME, the valid¬ 
ity problem for the cases in item [3] is EXPTIME-complete. What these re¬ 
sults on satisfiability and validity mean in practice? Historically, problems 
that were not in P were viewed as too hard to deal with in practice. How¬ 
ever, recently, major advances have been made in finding algorithms that 
deal well with many NP-complete problems, although no generic approaches 
have been found for dealing with problems that are co-NP-complete, to say 
nothing of problems that are PSPACE-complete and beyond. Nevertheless, 
even for problems in these complexity classes, algorithms with humans in 
the loop seem to provide useful insights. So, while these complexity results 
suggest that it is unlikely that we will be able to find tools that do auto¬ 
mated satisfiability or validity checking and are guaranteed to always give 
correct results for the logics that we focus on in this book, this should not 
be taken to say that we cannot write algorithms for satisfiability, validity, 
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or model checking that are useful for the problems of practical interest. 
Indeed, there is much work focused on just that. 

1.2.5 Axiomatisation 

In the previous section, the formalisation of reasoning was defined around 
the notion of truth: X (= p meant that p is true in all models in X. In 
this section, we discuss a form of reasoning where a conclusion is inferred 
purely based on its syntactic form. Although there are several ways to do 
this, in epistemic logic, the most popular way to define deductive inference 
is by defining a Hilbert-style axiom system. Such systems provide a very 
simple notion of formal proofs. Some formulas are valid merely because 
they have a certain syntactic form. These are the axioms of the system. 
The rules of the system say that one can conclude that some formula is 
valid due to other formulas being valid. A formal proof or derivation is a 
list of formulas, where each formula is either an axiom of the system or can 
be obtained by applying an inference rule of the system to formulas that 
occur earlier in the list. A proof or derivation of p is a derivation whose 
last formula is p. 


Basic system 

Our first definition of such a system will make the notion more concrete. 
We give our definitions for a language where the modal operators are K a 
for the agents in some set Ag, although many of the ideas generalise to a 
setting with arbitrary modal operators. 

Definition 1.15 (System K) 

Let L = L(At,Op,Ag), with Op = {K a \ a £ Ag}. The axiom system K 
consists of the following axioms and rules of inference: 


1 All substitution instances of propositional tautologies. 
K K a (p -> ijj) (K a p -f K a ij)) for all a £ Ag. 

MP From p and p —»• 'ip infer •*/’• 

Nec From p infer K a p. 


H 


Here, formulas in the axioms 1 and K have to be interpreted as ax¬ 
iom schemes: axiom K for instance denotes all formulas {K a (p —> ip) —>• 
[K a p —> K a 'ip s ) | p, ip £ L}. The rule MP is also called modus ponens ; Nec 
is called necessitation. Note that the notation for axiom K and the axiom 
system K are the same: the context should make clear which is intended. 

To see how an axiom system is actually used, we need to define the 
notion of derivation. 
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Definition 1.16 (Derivation) 

Given a logical language L, let X be an axiom system with axioms Axi,..., 
Ax n and rules Rui,... Ru^. A derivation of p in X is a finite sequence 
ipi,... ,<p m of formulas such that: (a) p m = p , and (b) every p t in the 
sequence is either an instance of an axiom or else the result of applying a 
rule to formulas in the sequence prior to pi- For the rules MP and Nec, 
this means the following: 

MP p h = pj -A pi, for some h,j < i. 

That is, both pj and pj —> pi occur in th sequence before p%. 

Nec pi = K a pj, for some j < i; 

If there is a derivation for p in X we write X b p, or bx p , or, if the system 
X is clear from the context, we just write b p. We then also say that p is 
a theorem of X, or that X proves p. The sequence p \,..., p m is then also 
called a proof of p in X. H 

Example 1.6 (Derivation in K) 

We first show that 


K b K a (p Aip) {K a p A Ka'tf). (1.3) 

We present the proof as a sequence of numbered steps (so that the formula 
Pi in the derivation is given number I). This allows us to justify each step 
in the proof by describing which axioms, rules of inference, and previous 
steps in the proof it follows from. 


1 . 

(p A if) —> p 

1 

2 . 

K a ((p Aip) -A p) 

Nec, 1 

3. 

I<a{(p A if) -A p) -7 (Ka(p A VO -A K a p) 

K 

4. 

K a (p A if) -7 K a p 

MP, 2, 3 

5. 

(p A if) — > if 

1 

6 . 

K a {{p a VO -t VO 

Nec, 5 

7. 

K a ((p A VO -A VO -> (K a (p A VO — > A-aVO 

K 

8. 

K a (p A VO — >■ A'aV’ 

MP, 6 , 7 

9. 

(K a (p A VO ~^ y K a p) y 



(( K a (p A 'Ip) -A Kai 0 {K a (p A VO -» (K a p A K a V’))) 

1 

10 . 

(A a (</? A V’) A' a ^) -A (A a (</? A VO “A (A a <b A K a if)) 

MP, 4, 9 

11. 

K a (p A VO -A (Aa¥> A XaVO 

MP,8,10 


Lines 1, 5, and 9 are instances of propositional tautologies (this can be 


checked using a truth table). Note that the tautology on line 9 is of the 
form (a —> f$) —> ((a —> 7 ) —> (a —> (/3 A 7 ))). A proof like that above 
may look cumbersome, but it does show what can be done using only the 
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axioms and rules of K. It is convenient to give names to properties that 
are derived, and so build a library of theorems. We have, for instance that 
K h KCD, where KCD (‘K-over-conj unction-distribution’) is 

KCD K a (a A p)-> K a a and K a {a A 0) -> K a p. 

The proof of this follows steps 1-4 and steps 5-8, respectively, of the 
proof above. We can also derive new rules; for example, the following rule: 
CC (‘combine conclusions’) is derivable in K: 

CC from a —>• (3 and a —> 7 infer a —> (f3 A 7 ). 

The proof is immediate from the tautology on line 9 above, to which we 
can, given the assumptions, apply modus ponens twice. We can give a more 
compact proof of K a (p A ip) — > ( K a p A K a ip) using this library: 

1. K a (p Aip) K a p KCD 

2. K a (pAiP)^K a iP KCD 

3. K a (pAip) -A (K a pAK a ip) CC, 1, 2 H 

For every class X of models introduced in the previous section, we want 
to have an inference system X such that derivability in X and validity in 
X coincide: 

Definition 1.17 (Soundness and Completeness) 

Let L be a language, let X be a class of models, and let X be an axiom 
system. The axiom system is said to be 

1. sound for X and the language L if, for all formulas p 6 L, X h ip 
implies X j= <p; and 

2. complete for X and the language L if, for all formulas ip E L, X |= <p 
implies Xh^. 

We now provide axioms that characterize some of the subclasses of models 
that were introduced in Definition 11.71 

Definition 1.18 (More axiom systems) 

Consider the following axioms, which apply for all agents a € Ag: 


T. K a p p 
D. M a T 
B. p -A- K a M a p 

4. K a p -A- K a K a p 

5. -'Kpp -> K a -~K a p 
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A simple way to denote axiom systems is just to add the axioms that are 
included together with the name K. Thus, KD is the axiom system that 
has all the axioms and rules of the system K (1, K, and rules MP and 
Nec) together with D. Similarly, KD45 extends K by adding the axioms 
D, 4 and 5. System S4 is the more common way of denoting KT4, while 
S5 is the more common way of denoting KT45. If it is necessary to make 
explicit that there are m agents in Ag, we write K m , KD m , and so on. H 

Using S5 to model knowledge 

The system S5 is an extension of K with the so-called ‘properties of know¬ 
ledge’. Likewise, KD45 has been viewed as characterizing the ‘properties 
of belief’. The axiom T expresses that knowledge is veridical: whatever 
one knows, must be true. (It is sometimes called the truth axiom.) The 
other two axioms specify so-called introspective agents: 4 says that an agent 
knows what he knows (positive introspection), while 5 says that he knows 
what he does not know (negative introspection). As a side remark, we men¬ 
tion that axiom 4 is superfluous in S5; it can be deduced from the other 
axioms. 

All of these axioms are idealisations, and indeed, logicians do not claim 
that they hold for all possible interpretations of knowledge. It is only 
human to claim one day that you know a certain fact, only to find yourself 
admitting the next day that you were wrong, which undercuts the axiom 
T. Philosophers use such examples to challenge the notion of knowledge 
in the first place (see the notes at the end of the chapter for references to 
the literature on logical properties of knowledge). Positive introspection 
has also been viewed as problematic. For example, consider a pupil who is 
asked a question <p to which he does not know the answer. It may well be 
that, by asking more questions, the pupil becomes able to answer that (p 
is true. Apparently, the pupil knew ip, but was not aware he knew, so did 
not know that he knew ip. 

The most debatable among the axioms is that of negative introspection. 
Quite possibly, a reader of this chapter does not know (yet) what Moore’s 
paradox is (see Chapter 6), but did she know before picking up this book 
that she did not know that? 

Such examples suggest that a reason for ignorance can be lack of aware¬ 
ness. Awareness is the subject of Chapter 3 in this book. Chapter 2 also 
has an interesting link to negative introspection: this chapter tries to cap¬ 
ture what it means to claim ‘All I know is (/?’; in other words, it tries to give 
an account of ‘minimal knowledge states’. This is a tricky concept in the 
presence of axiom 5, since all ignorance immediately leads to knowledge! 

One might argue that ‘problematic’ axioms for knowledge should just 
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be omitted, or perhaps weakened, to obtain an appropriate system for 
knowledge, but what about the basic principles of modal logic: the axiom 
K and the rule of inference Nec. How acceptable are they for knowledge? 
As one might expect, we should not take anything for granted. K assumes 
perfect reasoners, who can infer logical consequences of their knowledge. 
It implies, for instance, that under some mild assumptions, an agent will 
know what day of the week July 26, 5018 will be. All that it takes to 
answer this question is that (1) the agent knows today’s date and what 
day of the week it is today, (2) she knows the rules for assigning dates, 
computing leap years, and so on (all of which can be encoded as axioms in 
an epistemic logic with the appropriate set of primitive propositions). By 
applying K to this collection of facts, it follows that the agent must know 
what day of the week it will be on July 26, 5018. Necessitation assumes 
agents can infer all S5 theorems: agent a, for instance, would know that 
Kb(Kbq A~^Kb(p —> Kbq )) is equivalent to (Ki/j A Mf/p)■ Since even telling 
whether a formula is propositionally valid is co-NP-complete, this does not 
seem so plausible. 

The idealisations mentioned in this paragraph are often summarised as 
logical omniscience-, our S5 agent would know everything that is logically 
deducible. Other manifestations of logical omniscience are the equivalence 
of K(ip A V’) and Kip A K V’, and the derivable rule in K that allows one 
to infer Kip —>• Ki/j from <p —> ijj (this says that agents knows all logical 
consequences of their knowledge). 

The fact that, in reality, agents are not ideal reasoners, and not logically 
omniscient, is sometimes a feature exploited by computational systems. 
Cryptography for instance is useful because artificial or human intruders 
are, due to their limited capacities, not able to compute the prime factors 
of a large number in a reasonable amount of time. Knowledge, security, 
and cryptographic protocols are discussed in Chapter 12 

Despite these problems, the S5 properties are a useful idealisation of 
knowledge for many applications in distributed computing and economics, 
and have been shown to give insight into a number of problems. The S5 
properties are reasonable for many of the examples that we have already 
given; here is one more. Suppose that we have two processors, a and b , and 
that they are involved in computations of three variables, x, y, and z. For 
simplicity, assume that the variables are Boolean, so that they are either 0 
or 1. Processor a can read the value of x and of y, and b can read y and z. 
To model this, we use, for instance, 010 as the state where x = 0 = z, and 
y = 1. Given our assumptions regarding what agents can see, we then have 
xiyizi ~ a X 2 ^ 2^2 iff x\ = X 2 and y\ = y 2 ■ This is a simple manifestation of 
an interpreted system, where the accessibility relation is based on what an 
agent can see in a state. Such a relation is an equivalence relation. Thus, an 
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interpreted system satisfies all the knowledge axioms. (This is formalised 
in Theorem |1 .9| (1) below.) 

While T has traditionally been considered an appropriate axiom for 
knowledge, it has not been considered appropriate for belief. To reason 
about belief, T is typically replaced by the weaker axiom D: —i.B a _L, which 
says that the agent does not believe a contradiction; that is, the agent’s 
beliefs are consistent. This gives us the axiom system KD45. We can 
replace D by the following axiom D' to get an equivalent axiomatisation 
of belief: 

D' : K a ip -> -i K a -np. 

This axioms says that the agent cannot know (or believe) both a fact and 
its negation. Logical systems that have operators for both knowledge and 
belief often include the axiom K a ip —> B a ip, saying that knowledge entails 
belief. 

Axiom systems for group knowledge 

If we are interested in formalising the knowledge of just one agent a, the 
language L(At, {K a }, Ag) is arguably too rich. In the logic S5i it can be 
shown that every formula is equivalent to a depth-one formula, which has 
no nested occurrences of K a . This follows from the following equivalences, 
all of which are valid in 55 as well as being theorems of S5: KKip ■h- Kip ; 
K^Kip 0 K(K(p\/ip ) -H- [Kip\J and Kfi-^KipS/if) -^Kip\/Kfi>. 
From a logical perspective things become more interesting in the multi¬ 
agent setting. 

We now consider axiom systems for the notions of group knowledge that 
were defined earlier. Not surprisingly, we need some additional axioms. 

Definition 1.19 (Logic of common knowledge) 

The following axiom and rule capture common knowledge. 


Fix. C at E A C at) ■ 

Ind. From ip — > Ea(iP A ip) infer ip — > Ca 


For each axiom system X considered earlier, let XC be the result of adding 

Fix and Ind to X. H 

The fixed point axiom Fix says that common knowledge can be viewed 
as the fixed point of an equation: common knowledge of ip holds if everyone 
knows both that ip holds and that ip is common knowledge. Ind is called the 
induction rule ; it can be used to derive common knowledge ‘inductively’. 
If it is the case that ip is ‘self-evident’, in the sense that if it is true, then 
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everyone knows it, and, in addition, if p is true, then everyone knows if>, we 
can show by induction that if p is true, then so is ('</> A <p) for all k. It 
follows that CaP> is true as well- Although common knowledge was defined 
as an ‘infinitary’ operator, somewhat surprisingly, these axioms completely 
characterize it. 

For distributed knowledge, we consider the following axioms for all A C 

Ag: 


W. K a p —> Dap if a E A. 

Kd- Da(<p —> if) —i► {Dap —> Da if)- 

Td- Dap —> p- 

Dd- ~'Da~'T- 

B d . P — > Da^Da^P- 

4 d . D A p -a D A D A p- 

5 D - -■ Dap —> Da^Dap- 


These axioms have to be understood as follows. It may help to think about 
distributed knowledge in a group A as the knowledge of a wise man, who 
has been told, by every member of A, what each of them knows. This is 
captured by axiom W. The other axioms indicate that the wise man has 
at least the same reasoning abilities as distributed knowledge to the system 
S5 m , we add the axioms W,Kd,Td 4d> and 5 d to the axiom system. 
For K m , we add only W and Kd- 

Proving Completeness 

We want to prove that the axiom systems that we have defined are sound 
and complete for the corresponding semantics; that is, that K is sound and 
complete with respect to /C, S5 is sound and complete with respect to 55, 
and so on. Proving soundness is straightforward: we prove by induction on 
k that any formula proved using a derivation of length k is valid. Proving 
completeness is somewhat harder. There are different approaches, but the 
common one involves to show that if a formula is not derivable, then there 
is a model in which it is false. There is a special model called the canonical 
model that simultaneously shows this for all formulas. We now sketch the 
construction of the canonical model. 

The states in the canonical model correspond to maximal consistent sets 
of formulas, a notion that we define next. These sets provide the bridge 
between the syntactic and semantic approach to validity. 

Definition 1.20 (Maximal consistent set) 

A formula p is consistent with axiom system X if we cannot derive —>p in X. 
A finite set {pi ,..., p n } of formulas is consistent with X if the conjunction 
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<pi A... Ap n is consistent with X. An infinite set T of formulas is consistent 
with X if each finite subset of T is consistent with X. Given a language L 
and an axiom system X, a maximal consistent set for X and L is a set T of 
formulas in L that is consistent and maximal, in the sense that every strict 
superset T 7 of F is inconsistent. H 

We can show that a maximal consistent set T has the property that, 
for every formula p E L, exactly one of p and —>p is in T. If both were 
in r, then T would be inconsistent; if neither were in T, then T would not 
be maximal. A maximal consistent set is much like a state in a Kripke 
model, in that every formula is either true or false (but not both) at a 
state. In fact, as we suggested above, the states in the canonical model can 
be identified with maximal consistent sets. 

Definition 1.21 (Canonical model) 

The canonical model for L and X is the Kripke model M = (S, R, V) defined 
as follows: 

• S is the set of all maximal consistent sets for X and L; 

• TR a A iff r|X" a C A, where r|iF a = {p \ K a p £ T}; 

• K(r)(p) = true iff p £ T. H 

The intuition for the definition of R a and V is easy to explain. Our 
goal is to show that the canonical model satisfies what is called the Truth 
Lemma: a formula p is true at a state T in the canonical model iff p £ T. 
(Here we use the fact that the states in the canonical model are actually sets 
of formulas—indeed, maximal consistent sets.) We would hope to prove this 
by induction. The definition of V ensures that the Truth Lemma holds for 
primitive propositions. The definition of R a provides a necessary condition 
for the Truth Lemma to hold for formulas of the form K a p. If I\ a p holds at 
a state (maximal consistent set) T in the canonical model, then p must hold 
at all states A that are accessible from T. This will be the case if T|/\ a C A 
for all states A that are accessible from T (and the Truth Lemma applies 
to p and A). 

The Truth Lemma can be shown to hold for the canonical model, as 
long as we consider a language that does not involve common knowledge 
or distributed knowledge. (The hard part comes in showing that if ~^K a p 
holds at a state T, then there is an accessible state A such that ~>p £ A. 
That is, we must show that the R a relation has ‘enough’ pairs.) In addition 
to the Truth Lemma, we can also show that the canonical model for axiom 
system X is a model in the corresponding class of models; for example, the 
canonical model for S5 is in 55. 
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Completeness follows relatively easily once these two facts are estab¬ 
lished. If a formula p G L cannot be derived in X then ~^p must be 
consistent with X, and thus can be shown to be an element of a maximal 
consistent set, say T. T is a state in the canonical model for X and L. By 
the Truth Lemma, —>p is true at T, so there is a model where p is false, 
proving the completeness of X. 

This argument fails if the language includes the common knowledge 
operator. The problem is that with the common knowledge operator in the 
language, the logic is not compact: there is a set of formulas such that all its 
finite subsets are satisfiable, yet the whole set is not satisfiable. Consider 
the set {E^p \ n G N} U {-*Cap}, where A C Ag is a group with at least 
two agents. Each finite subset of this set is easily seen to be satisfiable in 
a model in 55 (and hence in a model in any of the other classes we have 
considered), but the whole set of formulas is not satisfiable in any Kripke 
model. Similarly, each finite subset of this set can be shown to be consistent 
with S5C. Hence, by definition, the whole set is consistent with S5C (and 
hence all other axiom systems we have considered). This means that this 
set must be a subset of a maximal consistent set. But, as we have observed, 
there is no Kripke model where this set of formulas is satisfied. 

This means that a different proof technique is necessary to prove com¬ 
pleteness. Rather than constructing one large canonical model for all for¬ 
mulas, for each formula p, we construct a finite canonical model tailored 
to p. And rather than considering maximal consistent subsets to the set 
of all formulas in the language, we consider maximal consistent sets of the 
set of subformulas of p. 

The canonical model = (S v , R , V) for p and KC is defined as 
follows: 

• SL is the set of all maximal consistent sets of subformulas of p for 

KC; 

• TR a A iff (T|/\ a ) U {C A ip 1 CA'ip € r and a € A} C A. 

• K(T)(p) = true iff p G T. 

The intuition for the modification to the definition of R a is the following: 
Again, for the Truth Lemma to hold, we must have r|iv a C A, since if 
K a ip £ T, we want ip to hold in all states accessible from T. By the fixed 
point axiom, if Ca^P is true at a state s, so is EaCa^P', moreover, if a G A, 
then K a CAip is also true at s. Thus, if C'aV’ is true at T, Ca^P must also 
be true at all states accessible from T, so we must have {Ca'iP \ Ca^P £ T 
and a € A} C A. Again, we can show that the Truth Lemma holds for 
the canonical model for p and KC for subformulas of p\ that is, if ip is a 
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subformula of ip, then ip is true at a state T in the canonical model for ip 
and KC iff <p G T. 

We must modify this construction somewhat for axiom systems that 
contain the axiom 4 and/or 5. For axiom systems that contain 4, we 
redefine R a so that TR a A iff (r | K a )U{CA 4> I Ca^P G r and a G A}U{K a ip I 
K a ip G r} C A. The reason that we want {K a ip \ K a ip G T} C A is that if 
K a ip is true at the state T, so is K a K a ip, so K a ip must be true at all worlds 
accessible from T. An obvious question to ask is why we did not make this 
requirement in our original canonical model construction. If both K a ip and 
K a K a ip are subformulas of <p, then the requirement is in fact not necessary. 
For if K a il> G T, then consistency will guarantee that K a K a ip is as well, 
so the requirement that T\K a C A guarantees that Ka'ip G A. However, if 
K a ip is a subformula of ip but K a K a ip is not, this argument fails. 

For systems that contain 5, there are further subtleties. We illustrate 
this for the case of S5. In this case, we require that ri? a A iff {K a ip \ Ka'ip G 
T} = { Ka'ip | K a ip G A} and {Ca'P \ Ca'P G F and a G A} = {Ca^P \ Ca^P G 
A and a G A}. Notice that the fact that {K a ip \ Ka'ip G T} = {K a ip \ K a ip G 
A} implies that T\K a = A| K a . We have already argued that having 4 in the 
system means that we should have {K a ip \ K a ip G T} C {K a ip \ K a ip G A}. 
For the opposite inclusion, note that if K a ip ^ F, then -> Ka'ip should be 
true at the state T in the canonical model, so (by 5) K a ^K a ip is true at T, 
and —'Ka'ip is true at A if TR a A. But this means that Ka'ip (/ A (assuming 
that the Truth Lemma applies). Similar considerations show that we must 
have {Ca'P \ Ca'P’ G F and a G A} = {Ca^P \ Ca^P G A and a G A}, using 
the fact that -'Ca'P —> Ea~'Ca'P is provable in S5C. 

Getting a complete axionratisation for languages involving distributed 
knowledge requires yet more work; we omit details here. 

We summarise the main results regarding completeness of epistemic lo¬ 
gics in the following theorem. Recall that, for an axiom system X, the 
axiom system XC is the result of adding the axioms Fix and Ind to X. 
Similarly, XD is the result of adding the ‘appropriate’ distributed know¬ 
ledge axioms to X; specifically, it includes the axiom W, together with 
every axiom Yd for which Y is an axiom of X. So, for example, S5D has 
the axioms of S5 together with W, Kd, Td, 4d, and 5 d- 
Theorem 1.9 

If (At,Op,Ag), X is an axiom systems that includes all the axioms and 
rules of K and some (possibly empty) subset of {T, 4, 5, D}, and X is the 
corresponding class of Kripke models, then the following hold: 

1. if Op = {K a | a G Ag}, then X is sound and complete for X and L; 

2. if Op = {K a | a G Ag} U {Ca \ A C Ag}, then XC is sound and 
complete for X and L; 
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3. if Op = {K a | a e Ag} U {Da \ A C Ag}, then XD is sound and 
complete for X and L; 

4. if Op = {K a | a G Ag} U {C A \ A C Ag} U {D A | A C Ag}, then XCD 

is sound and complete for X and L. H 

1.3 Overview of the Book 

The book is divided into three parts: informational attitudes, dynamics, 
and applications. Part I, informational attitudes, considers ways that basic 
epistemic logic can be extended with other modalities related to knowledge 
and belief, such as “only knowing”, “awareness”, and probability. There 
are three chapters in Part I: 

Only Knowing Chapter 2, on only knowing, is authored by Gerhard 
Lakemeyer and Hector J. Levesque. What do we mean by ‘only knowing’? 
When we say that an agent knows p, we usually mean that the agent knows 
at least p, but possibly more. In particular, knowing p does not allow us 
to conclude that q is not known. Contrast this with the situation of a 
knowledge-based agent, whose knowledge base consists of p, and nothing 
else. Here we would very much like to conclude that this agent does not 
know q, but to do so requires us to assume that p is all that the agent knows 
or, as one can say, the agent only knows p. In this chapter, the logic of only 
knowing for both single and multiple agents is considered, from both the 
semantic and proof-theoretic perspective. It is shown that only knowing 
can be used to capture a certain form of honesty, and that it relates to a 
form of non-monotonic reasoning. 

Awareness Chapter 3, on logics where knowledge and awareness inter¬ 
act, is authored by Burkhard Schipper. Roughly speaking, an agent is 
unaware of a formula p if (p is not on his radar screen (as opposed to 
just having no information about cp, or being uncertain as to the truth of 
ip). The chapter discusses various approaches to modelling (un)awareness. 
While the focus is on axiomatisations of structures capable of modelling 
knowledge and awareness, structures for modelling probabilistic beliefs and 
awareness, are also discussed, as well as structures for awareness of un¬ 
awareness. 

Epistemic Probabilistic Logic Chapter 4, authored by Lorenz Derney 
and Joshua Sack, provides an overview of systems that combine probabil¬ 
ity theory, which describes quantitative uncertainty, with epistemic logic, 
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which describes qualitative uncertainty. By combining knowledge and prob¬ 
ability, one obtains a very powerful account of information and information 
flow. Three types of systems are investigated: systems that describe uncer¬ 
tainty of agents at a single moment in time, systems where the uncertainty 
changes over time, and systems that describe the actions that cause these 
changes. 

Part II on dynamics of informational attitudes considers aspects of how 
knowledge and belief change over time. It consists of three chapters: 

Knowledge and Time Chapter 5, on knowledge and time, is authored 
by Clare Dixon, Claudia Nalon, and Ram Ramanujam. It discusses the 
dynamic aspects of knowledge, which can be characterized by a combina¬ 
tion of temporal and epistemic logics. The chapter presents the language 
and axiomatisation for such a combination, and discusses complexity and 
expressivity issues. It presents two different proof methods (which apply 
quite broadly): resolution and tableaux. Levels of knowledge and the re¬ 
lation between knowledge and communication in distributed protocols are 
also discussed, and an automata-theoretic characterisation of the know¬ 
ledge of finite-state agents is provided. The chapter concludes with a brief 
survey on applications. 

Dynamic Epistemic Logic Chapter 6, on dynamic epistemic logic, is 
authored by Lawrence Moss. Dynamic Epistemic Logic (DEL) extends 
epistemic logic with operators corresponding to epistemic actions. The 
most basic epistemic action is a public announcement of a given sentence 
to all agents. In the first part of the chapter, a logic called PAL (public an¬ 
nouncement logic), which includes announcement operators, is introduced. 
Four different axiomatisations for PAL are given and compared. It turns 
out that PAL without common knowledge is reducible to standard epis¬ 
temic logic: the announcement operators may be translated away. However, 
this changes once we include common knowledge operators in the language. 
The second part of Chapter 6 is devoted to more general epistemic actions, 
such as private announcements. 

Dynamic Logics of Belief Change Chapter 7, on belief change, is 
authored by Johan van Benthem and Sonja Smets. The chapter gives an 
overview of current dynamic logics that describe belief update and revision. 
This involves a combination of ideas from belief revision theory and dyna¬ 
mic epistemic logic. The chapter describes various types of belief change, 
depending on whether the information received is ‘hard’ or ‘soft’. The 
chapter continues with three topics that naturally complement the setting 
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of single steps of belief change: connections with probabilistic approaches 
to belief change, long-term temporal process structure including links with 
formal learning theory, and multi-agent scenarios of information flow and 
belief revision in games and social networks. It ends with a discussion 
of alternative approaches, further directions, and windows to the broader 
literature. 

Part III considers applications of epistemic logic in various areas. It consists 
of five chapters: 

Model Checking Temporal Epistemic Logic Chapter 8, authored 
by Alessio Lomuscio and Wojciech Penczek, surveys work on model check¬ 
ing systems against temporal-epistemic specifications. The focus is on two 
approaches to verification: approaches based on ordered binary decision 
diagrams (OBDDs) and approaches based on translating specifications to 
propositional logic, and then applying propositional satisfiability checkers 
(these are called SAT-based approaches). OBDDs provide a compact repre¬ 
sentation for propositional formulas; they provide powerful techniques for 
efficient mode checking; SAT-based model checking is the basis for many 
recent symbolic approach to verification. The chapter also discusses some 
more advanced techniques for model checking. 

Epistemic Foundations of Game Theory Chapter 9, authored by Gi¬ 
acomo Bonanno, provides an overview of the epistemic approach to game 
theory. Traditionally, game theory focuses on interaction among intelligent, 
sophisticated and rational individuals. The epistemic approach attempts 
to characterize, using epistemic notions, the behavior of rational and intel¬ 
ligent players who know the structure of the game and the preferences of 
their opponents and who recognize each other’s rationality and reasoning 
abilities. The focus of the analysis is on the implications of common belief 
of rationality in strategic-form games and on dynamic games with perfect 
information. 

BDI Logics Chapter 10, on logics of beliefs, desires, and intentions 
(BDI), is authored by John-Jules Ch. Meyer, Jan Broersen and Andreas 
Herzig. Various formalisations of BDI in logic are considered, such as 
the approach of Cohen and Levesque (recast in dynamic logic), Rao and 
Georgeff’s influential BDI logic based on the branching-time temporal logic 
CTL*, the KARO framework, in which action together with knowledge (or 
belief) is the primary concept on which other agent notions are built, and 
BDI logics based on STIT (seeing to it that) logics, such as XSTIT. 
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Knowledge and Ability Chapter 11, authored by Thomas Agotnes, 
Valentin Goranko, Wojciech Jamroga and Michael Wooldridge, relates epis- 
temic logics to various logics for strategic abilities. It starts by discussing 
approaches from philosophy and artificial intelligence to modelling the in¬ 
teraction of agents knowledge and abilities, and then focuses on concurrent 
game models and the alternating-time temporal logic ATL. The authors 
discuss how ATL enables reasoning about agents’ coalitional abilities to 
achieve qualitative objectives in concurrent game models, first assuming 
complete information and then under incomplete information and uncer¬ 
tainty about the structure of the game model. Finally, extensions of ATL 
that allow explicit reasoning about the interaction of knowledge and strate¬ 
gic abilities are considered; this leads to the notion of constructive know¬ 
ledge. 

Knowledge and Security Chapter 12, on knowledge and security, is au¬ 
thored by Riccardo Pucella. A persistent intuition in the field of computer 
security says that epistemic logic, and more generally epistemic concepts, 
are relevant to the formalisation of security properties. What grounds this 
intuition is that much work in the field is based on epistemic concepts. 
Confidentiality, integrity, authentication, anonymity, non-repudiation, all 
can be expressed as epistemic properties. This survey illustrates the use 
of epistemic concepts and epistemic logic to formalise a specific security 
property, confidentiality. Confidentiality is a prime example of the use of 
knowledge to make a security property precise. It is explored in two large 
domains of application: cryptographic protocol analysis and multi-level se¬ 
curity systems. 


1.4 Notes 


The seminal work of the philosopher Jaakko Hintikka (1962) is typically 


taken as the starting point of modern epistemic logic. Two texts on epis- 



ference on Theoretical Aspects of Reasoning About Knowledge (TARK), 
later renamed to “Theoretical Aspects of Rationality and Knowledge, was 


started (1986); in the mid-1990s, the Conference on Logic and Foundations 


of Game and Decision Theory (LOFT) (1996) began. These two conferences 























46 


CHAPTER 1. INTRODUCTION 


continue to this day, bringing together computer scientists, economists, and 
philosophers. 

Our chapter is far from the first introduction to epistemic logic. The 
textbooks by |Fagin et al. (1995) and by Meyer and van der Hoek (1995) each 
come with an introductory chapter; more recent surveys and introductions 


can be found in the book by van Ditmarsch, van der Hoek, and Kooi (2007 


Chapter 2), in a paper on epistemic logic and epistemology by Holliday 


(2014|, in the chapter by [Bezhanishvili and van der Hoek (2014), which 
provides a survey of semantics for epistemic notions, and in online resources 
(|Hendricks and Symons||2014 Wikipedia). 


Halpern (1987) provides an introduction to applications of knowledge 


in distributed computing; the early chapters of the book by Perea (2012) 
give an introduction to the use of epistemic logic in game theory. As we 
already said, more discussion of the examples in Section 1.1 can be found in 
the relevant chapters. Public announcements are considered in Chapter 6; 
protocols are studied in Chapter 12 and, to some extent, in Chapter 5; 
strategic ability is the main topic of Chapter 11; epistemic foundations of 
game theory are considered in Chapter 9; distributed computing is touched 
on in Chapter 5, while examples of model checking distributed protocols 
are given in Chapter 8. 

The use of Kripke models puts our approach to epistemic logic firmly 
in the tradition of modal logic, of which Kripke is one of the founders 
(see Kripke (1963)). Modal logic has become the framework to reason not 
only about notions as knowledge and belief, but also about agent attitudes 
such as desires and intentions (Rao and Georgeff. 1991), and about notions 


like time (Emerson, 1990), action (Harel, 11984), programs (Fischer and 


Ladner, 1979), reasoning about obligation and permission (von Wright 


1951), and combinations of them. Modern references to modal logic include 


the textbook by 

Blackburn, de Rijke, and Venerna 

(2001 

) and the handbook 

edited by 

Blackburn, van Benthem, and Wolter ( 

2006) 



Using modal logic to formalise knowledge and belief suggests that one 
has an idealised version of these notions in mind. The discussion in Sec¬ 


tion 1.2.5 is only the tip of the iceberg. Further discussion of logical omni¬ 


science can be found in (Stalnaker, 1991 Sim, 1997) and in (Fagin et al. 
Chapter 9). There is a wealth of discussion in the philosophy and 


1995 


psychology literature of the axioms and their reasonableness (Koriat, 1993 


Larsson, 2004, Zangwill 2013). Perhaps the most controversial axiom of 


knowledge is 5; which was dismissed in the famous claim by Donald Rums¬ 
feld that there are ‘unknown unknowns’ (see http://en.wikipedia.org/ 
wiki/There_are_known_knowns). Some approaches for dealing with lack 
of knowledge using awareness avoid this axiom (and, indeed, all the others); 
see Chapter 3. 
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Broadly speaking, philosophers usually distinguish between the truth 
of a claim, our belief in it, and the justification for the claim. These are 
often considered the three key elements of knowledge. Indeed, there are 
papers that define knowledge as justified true belief. There has been much 
debate of this definition, going back to Gettier’s (1963) Is justified true belief 
knowledge?. Halpern, Sarnet, and Segev (2009) provide a recent perspective 
on these issues. 

The notion of common knowledge is often traced back to the philosopher 
David Lewis’s (1969) independently developed by the sociologist Morris 
Friedell (1969). Work on common knowledge in economics was initiated by 
Robert Aumann (1976); John McCarthy’s (1990) work involving common 
knowledge had a significant impact in the field of artificial intelligence. 
Good starting points for further reading on the topic of common knowledge 
are by Vanderschraaf and Sillari (2014) and by Fagin et al. (1995 Chapter 
6). Section 9.5 compares the notions of common knowledge with that of 
common belief. 

Distributed knowledge was discussed first, in an informal way, by Hayek 
(1945), and then, in a more formal way, by Hilpinen (1977). It was rediscov¬ 
ered and popularized by Halpern and Moses (1990), who originally called 
it implicit knowledge. 

The notion of bisimulation is a central notion in modal logic, providing 
an answer to the question when two models are ‘the same’ and is discussed 


in standard modal logic texts ( Blackburn et al.[ 2001, 2006). Bisimulation 
arises quite often in this book, including in Chapters 5, 6, and 7. 

We mentioned below Theorem 1.8, when discussing complexity of va¬ 
lidity, that some recent advances make NP-complete problems seem more 
tractable: for this we refer to work by Gomes, Kautz, Sabharwal, and 


Selman (2008). 


We end this brief discussion of the background literature by provid¬ 
ing the pointers to the technical results mentioned in our chapter. The¬ 
orem 0 gives some standard valid formulas for several classes of models 
(see |Fagin et al. (1995, Chapter 2.4) for a textbook treatment). Theo¬ 
rem |1.2| is a folk theorem in modal logic: for a proof and discussion, see 
Blackburn et al. (2006, Chapter 2.3). Proposition 1.3 is proved by Faginj 


et al. (1995) as Theorem 3.2.2 (for the case X = Kf) and Theorem 3.2.4 (for 


X = T,S4,lCD4h, and 55). Proposition 1.4 is Proposition 3.2.1 by Fagin| 


et al. (1995). Theorem 1.8 is proved by Halpern and Moses (1992). 


Although the first proofs of completeness for multi-agent versions of ax¬ 
iom systems of the form X m and XC m are by Halpern and Moses (1992), 
the ideas go back much earlier. In particular, the basic canonical model 


construction goes back to Makinson (1966) (see Blackburn et al. (2001 


Chapter 4) for a discussion), while the idea for completeness of axiom sys- 
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terns of the form XC is already in the proof of Kozen and Parikh (1981) for 
proving completeness of dynamic logic. Completeness for axiom systems 
of the form XD was proved by Fagin, Halpern, and Vardi (1992) and by 


van der Hoek and Meyer 

(1992 

). A novel proof is provided by 

Wang 

(2013 


Chapter 3). Theorem 1.6 is part of logical folklore. A proof of Theorem 1.7 


was given by French, van der Hoek, Iliev, and Kooi (2013). 
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